Posted
by
timothy
on Saturday October 08, 2011 @05:47PM
from the new-meaning-for-parental-support dept.

CNET reports that as of yesterday, a new Chrome extension will "let a person on one computer remotely control another across the network." The new remote-desktop capability is in BETA (Google's all-caps version, for emphasis), but is said to work to control any OS from any other OS, so long as both sides are equipped with Chrome and the new extension. Related: Wired is running a profile of
Rajen Sheth — "father of Gmail," and now in charge of Google's Chromebook project as well.

It actually sounds brilliant. Normally I have to direct clients, friends, family to a remote-support site, direct them to download the generated.exe, and run it to allow me in (actually, I usually end up permenantly installing said agent). Think LogMeIn Rescue, or TeamViewer (we actually use Bomgar).

If this works as advertised, it could make things a whole lot easier. Combined with the fact that Chrome can be deployed as an MSI, and extensions can be pushed and locked with GPOs, this could make support much easier.

Check out Synergy [google.com], it allows you to share keyboard and mouse across multiple computers, but each needs it's own monitor. It also works across OS (linux, mac, windows). Another option, that sound more like what you want is italc [sourceforge.net]. It lets you remote control other PC's from one master PC. I deployed it in a Fire Department training room and they love it.

This isn't going to be very useful if it requires a user to be already logged in to work.

It has just that limitation:

The technology right now is limited so that permission must be granted each time remote administration is activated. "This version enables users to share with or get access to another computer by providing a one-time authentication code. Access is given only to the specific person the user identifies for one time only, and the sharing session is fully secured,"

This isn't going to be very useful if it requires a user to be already logged in to work.

It sounds like it could be an alternative to WebEx, for those who use it for remote support.

It beats the hell out of trying to get most adults to follow simple verbal instructions.

Ever work a technical support job? After explaining to an otherwise educated person (i.e. educated stupid) for the fifth time that when you ask him to "right-click with the right mouse button" it is not the same as "double-click (with the left)" you start thinking about remote desktop yourself.

Thankfully that was a long time ago. After a while, you stop thinking of involuntary sterilization as a viable option.

After explaining to an otherwise educated person (i.e. educated stupid) for the fifth time that when you ask him to "right-click with the right mouse button" it is not the same as "double-click (with the left)" you start thinking about remote desktop yourself.

Three cheers for the CLI !! You IM the luser commands to run and have them paste in the results.

I work in tech support. I've encountered a few users who didn't even realise the round thing in the corner of Office was a menu until I opened it for them.

I've had one user who was amazed by my techno-skills when I opened the documents folder. Turned out she had spent the last two years managing documents by opening Word, selecting Save As and using the save dialog as a file manager.

To be fair, I'm a programmer, a user of both Linux and Windows, capable of fixing minor kernel bugs, and have about 30 years of experience with various user interfaces, regularly confuse people because of how fast I use most interfaces, and it took me a short while to work out that the marble thing in Office was the menu. When you're used to the menu being in the... menu bar (who'dathunk!) when it suddenly vanishes and gets replaced by the ribbon, you're inclined to think that that's where all the menu ite

We get that a lot. Our generic fix-everything solution is the profile reset - just wipes the users profile and replaces with default, which is usually much easier than diagnosing the specific problem. A side effect of this is that the recent documents listing is cleared, so we sometimes get recently-reset users calling in a panic because they think their documents have disappeared. Rather more commonly they call in a panic because they think software is no longer installed after it's icon vanishes from the

"OK now just right click that icon"...'but I'm left handed'
"No, take your finger and push the button on the right side of the mouse once and hold it down.. what do you see?".." My email browser explorer express just started up"
"no you clicked the LEFT button.. i want you to click the Right button!.. don't you know left from right"
"...hey don't get mad at me i'm not a computer EXPERT like you!"...20 minutes later...
that's click it TWO times.. double click means TWO clicks"
"...hey don't get mad at me i'm not a computer EXPERT like you!"....

Yeah, that's about how it goes. The ability to rub two brain cells together is suddenly defined as expertise...

I wonder, when a doctor writes a prescription and says something like "take this pill once a day", does anyone reply with "but I'm not a medical EXPERT like you!"?

what I find to work is a combination of join.me and teamviewer. https://join.me/ [join.me] is dead simple to get people to do "click the orange circle on the left...yes it to death until it gives you a nine digit number...what's the number...say 'yes' to let me remote control..." and then use that for userland stuff. One thing that join.me doesn't deal with well is UAC prompts - namely that it doesn't allow users to click on them, since it's sandboxed similar to the browser. If you're only going to hit one that isn't

They, and other non-MS remote control software need to run as admin at least once, so they can inject screen-mirroring drivers. The talking to the driver happens from non-admin mode later, but it only takes one admin session to infiltrate your system and work from there, if there's ANY malicious intent.

But back on topic, remote control isn't for the BLIND by any means; it MUST relay your screen by using "screen-mirroring" which requires vi

Thats not 100% accurate, we use Bomgar remote support which allows non-admins to run an agent to give us user-level access to their screen, remotely, even if it is our first time accessing said system. We also trial ran LogMeIn Rescue 2 years ago, which likewise did not require admin rights even for first time access-- even on Windows 7. However, in order to have access to the login screen, we would have to press a button to request UAC elevation.

Something else that I just don't get with "technology" like this is how it's mistakenly seen as "innovative" because it somehow involves a web browser, although it's something we have been able to do for decades using other software.

This is basically the same as telnet, or rsh, or ssh, or VNC, or the many other technologies that do the same thing. Fuck, this is something we could even do in the browser years ago! I remember using a Java applet that let me connect in to computers at work using ssh or VNC. Th

VNC will need you to walk grandma through a reboot, through configuring VNC, through configuring a port on her router, and then through turning VNC server off afterward to close the security hole.

Chro-mote will just need her to download and run a program, and then visit a particular URL, and maybe read a number to you over the phone. The lack of router config I think, is the biggest win here ; people are used to links, but not arcane looking network settings. She might not even know which IP address her rou

+1. The C.S.-101 catchphrase would be 'what is old is new again'. In a related vein, the computer developer in me was hit by Steve Jobs death, regardless of the fact that much of his modern fame involved not the main innovations, but rather polishing and driving them to market with a coherent vision (and the power that a deep bank account provides didn't hurt his odds either). I.e. the ipod was a brand of mp3 player, not a music playing device invention. Likewise this latest google gadget is a brand of

As an Archos Jukebrick fan myself, the innovative part that the iPod brought was bringing the technology to a functional level of convenience. The iPod was the first one that fit in your pocket.

I'm not going to be able to explain to my mother how to get an ssh server up and running on her machine. But getting Chrome installed with an extension? That I could believe.

The key is *enabling.* Twenty years ago, setting up an FTP based home file synchronization service was technically possible. But it was a huge PITA. DropBox automated everything with a simple single login. Similarly, simplifying VNC into something that everyone already has. That means that people who wouldn't have exposure to remote control, now do.

"As an Archos Jukebrick fan myself, the innovative part that the iPod brought was bringing the technology to a functional level of convenience. The iPod was the first one that fit in your pocket."

I owned a rio800 in 2001. Not much longer or thicker than its power source, a AA or AAA battery (I think the former, but thats still smaller than a deck of playing cards, and probably half the weight). I still would prefer to be able to carry bog standard extra power cells like a AAA to power my player, though my

The Rio800 was a flash-based player. A solid one... I had a Rio PMP300 and 500 as well, and gazed longingly at the Rio 800's 128MB of space. But the original iPod had a micro HDD, up until then only used in photography, which started at 5GB of space. They definitely were the first to jump down from notebook hard drives to micro drives, in order to get a HDD based player into your pocket.

The signature scroll wheel is also easier to navigate large lists of songs with. And Apple was the first to integrate

That is the key point of our disagreement I think. What you describe them doing to what you describe as a 'niche tech gadget', I would alternately call the blazing obvious happening to the blazing obvious mainstream device. There was nobody who in y2000 and much earlier, did not see that computer memory and processing devices were shrinking, and that as you could now have a music system in a PC size device, that eventually you would have one i

well the point was Google is once again doing something that was tried before in the past. sorry i was wrong about who gets credit for the idea... it just was VNC was my first remote graphical terminal/desktop sharing app. and it was called a virus by av scanners.

In other news a computer companies continue to provide users with a button to turn their computers on despite the obvious security risks introduced when the machine is running.

Everything is a security vulnerability. An OS is a vulnerability. Having a computer connected to the internet is a vulnerability. A web browser is a vulnerability. Even your post and the fact it was modded insightful is a vulnerability to the sanity and common sense of people reading it.

i realize you were being rather sarcastic, but there's a difference between "There is an attack surface that, given enough time, a determined hacker can exploit" and "there's an exorbitantly easy exploit being built directly into the browser".

"there's an exorbitantly easy exploit being built directly into the browser".

I wasn't being sarcastic at all. The parts of our lives that have been most helped by the emergency of technology are the most easy to exploit. They are all born out of convenience and interconnectivity.

My point is if you want security they you may as well give up many of the useful functions of your computer. You plug in a Windows XP machine to the internet and it gets owned before you even have a chance to load up the windows update server. Yet here we have a extension, unlikely to be very widely used, co

Or is your concern that its "within a browser", and thus inherently must be insecure?

In a nutshell, yes. One great way to take relatively small security concerns and greatly magnify them is to have a single application that tries to be everything and do everything for everyone. The browser is involved in too many different things as it is. As it becomes more and more central, it is also a more and more tempting target. A worst-case compromise now has fewer barriers in terms of the damage it can do.

Except that to all appearances this requires the user to go to a specific web site (or somehow generate a control code) and explicitly allow the connection. It's still not without some security concerns I suppose, but it would require a fair amount of fooling both Google and the user to abuse it. Mostly I can see it as being a great way to help friends/relatives with their computers. As a double plus good you can help your mom with her Mac from your Windows box, or your dad with his Windows box from your

Or is your concern that its "within a browser", and thus inherently must be insecure?

In a nutshell, yes. One great way to take relatively small security concerns and greatly magnify them is to have a single application that tries to be everything and do everything for everyone. The browser is involved in too many different things as it is. As it becomes more and more central, it is also a more and more tempting target. A worst-case compromise now has fewer barriers in terms of the damage it can do.

If you are (implicitly, of course) saying that adding remote access to an already complex Web browser has absolutely no security implications whatsoever and no amount of caution could possibly be reasonable, well, I say that statement carries with it a burden of proof. Until you demonstrate otherwise, that positive claim is rightly considered false.

Those who disagree with you by default are merely being sensible.

Hmmm. Isn't "a single application that tries to be everything and do everything for everyone" a reasonable description of the OS? I'm not attempting a reductio ad absurdum, but it seems to me your (legitimate!) concerns over the security issues involved when you start adding functionality to software had to be solved for the OS, and those lessons can be applied to the browser.

Once again, if your browser is exploited to the extent that the attacker can invoke that remote access plugin unauthorized, the battle is already lost-- they are running arbitrary code and could if desired download that plugin or another userland program on demand.

This is what I was thinking. If MS did this we would all be screaming about bloat and the security implications. Sure there may be millions of layers of security, but security has a way of being circumvented.

We are moving into another scary world with very little forethought. We are putting all our data online with free services without thinking deeply about securing that data. This is like when we hooked our computers to the internet without knowing that we were exposing ourselves to every two bit sc

Google is just catching up to Microsoft. Windows has had this capability for many years, of other people remotely accessing it. In fact, Microsoft has even had to apply major resources to reducing access to this feature, due to overwhelming demand.

Does Microsoft's solution work even over the Internet, when both machines are behind firewalls? How about when the machines are running different operating systems (i.e. not Windows)?

Agreed. I'll go one further - it is fscking stupid to allow a browser (which should be sandboxed and unable to access anything outside of its window frame) remotely control your machine. Dumb Dumb Dumb. Google used to understand this. Apparently they went insane recently?

They realize that consumers don't give a shit about security until you first give them enough convenience to hang themselves with; after that though they complain a lot but you already have all their money and their business by then so it doesn't matter.

The process which will 'control the machine' will most probably have almost nothing to do with the processes which control the windows. That's how the whole browser is built: lots of independent processes limited on what they can do and able only to talk to each other over well defined interfaces.

Ever have a customer that purchased your $30k services, you spend 2 weeks discussing how everything works and everything you'll need with them, you sign all the contracts/etc, then when you're ready to go you contact their tech admin to get Remote Desktop to set things up, and they strait out refuse to give you access.

Now, the customer also says that the only reason they are willing to get our services is because we told them we can have it running in under 1 week. From a legal standpoint, we would be fine,

We should eliminate all possible sources of exploits regardless if they are attached to useful things. I have the perfect computer:

- Runs Linux with all the latest security kernel enhancements.- No browser installed to prevent users from accidentally finding something malicious on the net.- Not network connected to prevent attacks from outside.- No monitor to prevent people looking over your shoulder stealing your sensitive data.- No Powersupply to make sure it can't be turned on, after all a computer that's not running is secure right?

Yes it is a brilliant idea, for many reasons. Yes there's a possible security exploit. Yes it's quite probably a risk worth taking.

You can't ignore the fact that the browser is the most critical attack surface for any computer connected to the Internet nowadays: often, it's even the only one, given that most other network interactions from home computers are blocked by residential firewalls.

That is a widely common misconception. The vast majority of attacks using the browser are social engineering attacks, phishing and the like. Many of the non-social attacks use the browser as just another vector to gain access to other components of the system, PDFs and Flash being the latest in vogue right now amongst the usual array of windows specific attacks.

There's actually very few exploits aimed at the browser itself in active use.

They are. So let's not use them and instead go for network daemons which sit there idly waiting to also be exploited for malevolent purposes.

My point is here is a tool that provides functionality. It either exists or it is replaced by a similar tool by those who need the functionality. The fact that it is a browser plugin as opposed to a standalone program doesn't necessarily make it any more or less of a security risk. Complaining that this is a security risk but RDP, VNC or many other similar products isn

This can only be a useful alternative to existing tools like TeamViewer if and only if the Chrome browser itself becomes a truly ubiquitous browser, found on EVERY machine. Otherwise, what's the difference if one still has to install software on both systems to make it feasible? In this instance, it's actually two installations, given the need to install the extension as well as the browser itself.

They could have at least used their own damn implementation of the NX protocol [google.com] and got work going around porting it to Windows and Mac. Maybe then NX would finally start to replace VNC and the FLOSS community would have a high quality remote desktop environment (and by high quality I mean HDX responsiveness). Or, god forbid, an HTML 5 client -like Ericom's AccessNow [ericom.com] which is marketed for Chromebooks. You know, anything other than reinventing the damn wheel.

I had to connect to some machines in California from London via VNC the other day. A timely reminder of how much I hate that protocol: it's so slow. RDP completely kicks its arse. The OS X server side implementation seems particularly slow, but even with everything turned down in TightVNC and JPEG compression turned up, it's still horrible (and there are all of the bugs in TightVNC on Windows, like on some machines failing to redraw the screen). Only RDP seems to be able to cope with higher latency conn

The fallback is to use Google servers. Are there any guarantees Google can't track that data is some way? I don't know enough about how this works to have any idea what's technically feasible. If it is feasible, is this another one of those things where people will say, "Well, they're a private company. They can do anything they want"? Who's looked at this? What have they found?

That's a fairly minor wrinkle on the main one. Setting up browser control of OS may not be that big a deal on the tech support

I think you might be confused about what a firewall actually does. Without reviewing the product at all I'm just gonna go ahead and say "no." Not unless you punch a hole in the firewall at least. Making it so that hole can be on port 80 is something VNC can do as well that does *not* actually make it more secure.

When you design software, you can either design with security as part of the architecture or not. Secure software designs still have problems, but it's the difference between a pinhole and a barn door.

Unix systems were much more secure than Windows systems for years (whether they are now is up to debate). The reason is that Microsoft had to take drastic measures over more than a decade to secure their system was because their architecture was never designed with security in mind. Unix didn't have the problem - as a multiuser system, security was part of the design, so replacing insecure pieces with secure components (think rsh -> ssh, crypt() to md5(), shadow, etc.) was much easier.

In order to have a remote desktop application be part of a web browser, you need to break the security of the browser and reach the base system. I don't know how the extension framework for Chrome works (I only use it for webcomics), but I would definitely think twice before installing something like this onto a piece of software that regularly communicates with untrusted data (which is primarily what a web browser does).